It’s been said that cybersecurity represents the greatest threat to every sector in the world — and radiology is no exception. Yet most of us probably don’t give it a second thought, seeing it as a problem for multinational companies or an issue for the IT department to take care of.
But this is a dangerous misconception.
Not convinced? Then consider the example of Hollywood Presbyterian Medical Center. In 2017, it was the victim of a ransomware attack where cybercriminals blocked access to essential medical data. Then there were the 80 publicly reported ransomware attacks against small and large hospitals that happened in 2020 alone.
“These attacks can have a direct impact on patient care,” said Erik Decker, assistant vice president and chief information security officer at Intermountain Healthcare. “Impacts can include forcing patients to be transferred, surgeries canceled, and ambulances redirected, which results in delayed care.”
As health care becomes increasingly dependent on internet-connected technologies and the use of data, the cyberthreat will only continue to grow.
“Whether we like it or not, cybersecurity has become a very important part of health care,” Decker said. “Every radiology practice in the country can become a victim of a cyber attack; it’s an issue that we cannot afford to ignore.”
Vigilance is Key to Stopping Cybersecurity Threats
So, what can a radiologist do? Speaking at a Sunday session, Decker presented some practical, common-sense tips radiologists can use to better protect themselves — and their departments — from cybercrime.
According to Decker, cybersecurity involves much more than having the most secure devices and the latest software. “Even if the IT department does everything it can to protect the hospital from an attack, unfortunately, many security breaches are the result of human error,” he explained.
Take for example email phishing. Here, a hacker sends someone an email that looks deceptively official. It might even be from someone you know. But as soon as you click on a link, you’ve opened yourself — and your organization — to a potential breach.
“A message that asks for sensitive information or needs something urgently should immediately raise a red flag,” said Decker.
Decker also recommends hovering your cursor over the link to check the URL and, if it isn’t familiar, immediately reporting the email to your cybersecurity or IT team and deleting it. Likewise, you should always confirm an email’s legitimacy before opening any attachment. “If you’re unsure, confirm the message is legitimate through an out-of-band channel other than the email you received, such as calling the sender or opening a new email to your contact,” he added.
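The checks described above (does the displayed link match where it really points, is the destination a familiar domain, does the message press for urgency or sensitive information) can be automated as a first-pass triage on an incoming HTML email. The script below is an added example written for this article, not code from the presentation or from the 405(d) program; the known-domain list, the keyword lists and the two sample messages are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this hypothetical practice treats as familiar (constructed for the example).
KNOWN_DOMAINS = {"example-hospital.org"}

# Wording Decker singles out as a red flag: urgency and requests for sensitive data.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "verify your")
SENSITIVE_WORDS = ("password", "credentials", "social security", "login")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL or bare domain, lower-cased; '' if none can be parsed."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_known(host):
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)


def triage_email(html_body):
    """Return the list of red flags found; an empty list means nothing looked suspicious."""
    flags = []
    parser = _LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        real = host_of(href)
        # Only compare hosts when the visible text itself looks like a URL or domain
        # (that is the "hover to check the URL" step done mechanically).
        shown = host_of(text) if re.search(r"\w\.\w", text) else ""
        if shown and shown != real:
            flags.append(f"link text shows {shown} but points to {real}")
        if real and not is_known(real):
            flags.append(f"unfamiliar destination {real}")
    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    if any(w in plain for w in URGENCY_WORDS):
        flags.append("urgent wording")
    if any(w in plain for w in SENSITIVE_WORDS):
        flags.append("asks for sensitive information")
    return flags


# Constructed sample messages: a lookalike link under a familiar-looking label, and a benign notice.
PHISH = (
    "<p>Your PACS password expires today. Please verify your credentials immediately at "
    '<a href="http://pacs-example-hospital.org.attacker.example/login">'
    "https://pacs.example-hospital.org/login</a>.</p>"
)
LEGIT = (
    "<p>The weekly reading schedule is posted on the "
    '<a href="https://pacs.example-hospital.org/schedule">intranet</a>.</p>'
)

if __name__ == "__main__":
    for name, body in (("phish", PHISH), ("legit", LEGIT)):
        print(name, "->", triage_email(body) or "no red flags")
```

The host comparison mirrors the hover check: a label that reads like one address while the link goes somewhere else is the mismatch Decker tells readers to look for, and anything outside the practice's own domains is reported so a person can escalate it to the IT or security team rather than click through.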
Challenge Continues to Grow
The challenge ahead is that cyberattacks are becoming increasingly complex. “Cybercrime doesn’t differentiate on the size of the organization,” said Decker. “In fact, criminals are targeting smaller organizations specifically because their security tends to be less sophisticated.”
Furthermore, due to the expansion of medical imaging being done outside the hospital and the use of ambulatory imaging centers, the footprint of potential targets is also increasing. For example, in 2019, security researchers proved, through a proof-of-concept study, that they could intercept medical imaging from CT scanners and ‘add’ or ‘remove’ cancer from the studies.
“The good news is that radiologists and hospitals no longer have to face the threat alone,” Decker said. “They now have 405(d) to guide them.”
The 405(d) program, the result of a public-private partnership of the U.S. Department of Health and Human Services, provides the health care and public health sector with useful and impactful resources, products and tools that help raise awareness and provide vetted cybersecurity practices.
“This program and its various outputs represent the playbook for best practices in managing and mitigating cybersecurity threats,” Decker said. “As such, it should be a staple in every radiology practice.”
Decker also referenced the 2021 amendment to the Health Information Technology for Economic and Clinical Health Act (Public Law No. 116-321), which went into effect earlier this year. “According to this regulation, if you implement recognized cybersecurity practices, such as those outlined by the 405(d) program, Health and Human Services must take this into consideration when making decisions on things like audits and enforcement,” he added.
Access the presentation, “Cybersecurity for Radiology Practices,” (S1-CIN01) on demand at Meeting.RSNA.org.